Businesses to report cyber ransoms to federal government under new mandatory scheme

Australian businesses will be required to disclose cyber ransom attacks to the federal government, as lawmakers attempt to shield traders from digital attacks costing billions of dollars each year.

The Australian reports the nation’s incoming cyber security strategy, expected to be revealed this week, will compel businesses to alert authorities if they fall victim to ransomware — computer programs that lock down sensitive information and threaten its release unless the company pays the cybercriminals.

The mandatory system will not carry any penalties for businesses that report being struck by ransomware, according to reports.

Australia last month joined a 40-nation pledge not to pay ransomware demands made against government agencies, and new National Cyber Security Coordinator Air Marshal Darren Goldie has heavily discouraged the payment of ransom.

However, private businesses will not be banned from paying ransoms under the incoming system.

It is currently unclear if the scheme will provide any carve-outs or leniency for small businesses, which cyber security firms say form the majority of ransomware victims.

Even so, The Australian reports the government will consult with businesses on the exact shape of the ransom alert system, giving small businesses a chance to say how it should operate.

In a statement posted to social media, Minister for Cyber Security Clare O’Neil said the system will be partnered by further support for afflicted businesses.

“We’ll create a ransomware playbook that will provide clear guidance to businesses and citizens on how to prepare for, deal with, and bounce back from ransom demands,” she said.

Ransomware attacks were estimated to cost the Australian economy $2.59 billion annually as of 2021.

Recent ransomware attacks include last year’s strike against Optus, in which a hacker threatened to release customer details online unless the telco giant paid them in excess of $1.5 million to relent.

The details of around 10,000 Optus customers were shared online as part of the hack, but Optus said no ransom was paid.

Ransomware is just one weapon used against Australian businesses, which are becoming increasingly susceptible to digital attacks as more business, financial, and customer data is stored online.

Small businesses are particularly vulnerable, according to a new report from the Australian Securities and Investments Commission.

One in three small businesses do not adhere to any cyber security standard, the report found, with small businesses also far less likely to effectively respond and recover from cyber attacks compared to their larger competitors.